1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

gpg: Change update_keysig_packet to replace SHA-1 by SHA-256.

* g10/sign.c (update_keysig_packet): Convert digest algo when needed.
--

Several gpg commands try to keep most properties of a key signature
when updating (i.e. creating a new version of a key signature).  This
included the use of the current hash-algorithm.  This patch changes
this so that SHA-1 or RMD160 are replaced by SHA-256 if
possible (i.e. for RSA signatures).  Affected commands are for example
--quick-set-expire and --quick-set-primary-uid.

GnuPG-bug-id: 4508
Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2019-05-13 19:01:28 +02:00
parent 8d0d61aca3
commit c1dc7a8329
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B

View File

@ -1593,6 +1593,13 @@ update_keysig_packet (ctrl_t ctrl,
if ( opt.cert_digest_algo ) if ( opt.cert_digest_algo )
digest_algo = opt.cert_digest_algo; digest_algo = opt.cert_digest_algo;
else if (pksk->pubkey_algo == PUBKEY_ALGO_DSA
|| pksk->pubkey_algo == PUBKEY_ALGO_ECDSA
|| pksk->pubkey_algo == PUBKEY_ALGO_EDDSA)
digest_algo = orig_sig->digest_algo;
else if (orig_sig->digest_algo == DIGEST_ALGO_SHA1
|| orig_sig->digest_algo == DIGEST_ALGO_RMD160)
digest_algo = DEFAULT_DIGEST_ALGO;
else else
digest_algo = orig_sig->digest_algo; digest_algo = orig_sig->digest_algo;